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Abstract 

Several simple yet secure protocols to authenticate the quantum channel of various QKD schemes, by coupling 
the photon sender's knowledge of a shared secret and the QBER Bob observes, are presented. It is shown that 
Alice can encrypt certain portions of the information needed for the QKD protocols, using a sequence whose 
security is based on computational-complexity, without compromising all of the sequence's entropy. It is then 
shown that after a Man-in-the-Middle attack on the quantum and classical channels, there is still enough entropy 
left in the sequence for Bob to detect the presence of Eve by monitoring the QBER. Finally, it is shown that 
the principles presented can be implemented to authenticate the quantum channel associated with any type of 
QKD scheme, and they can also be used for Alice to authenticate Bob. 



1 Introduction 

Quantum Key Distribution (QKD) has gained consid- 
erable interest in the academic and commercial sectors 
in recent years because of its ability to offer absolute 
security against all attacks that can be carried out on 
classical and quantum computers. This is in stark con- 
trast to current classical public-key schemes that have 
been shown to be vulnerable to attacks on a quantum 
computer £Q. However, these same classical schemes do 
have a significant advantage in that they can be used to 
authenticate messages and eliminate Man-in-the-Middle 
attacks, at least when Eve (the adversary) is limited to 
a classical computer. In the absence of an authenticated 
public channel, most QKD protocols, such as BB84 0, 
are not secure against Man-in-the-Middle attacks. 

The current method to secure commercially viable 
QKD protocols against such an attack is to authenticate 
the classical communications between Alice and Bob. 
This prevents Eve from establishing key with either one 
because she would not be able to carry out the clas- 
sical communications necessary for the protocols, and 
she would be limited to attacks that increase Bob's ob- 
served quantum bit error rate (QBER). The Wegman- 
Carter authentication scheme [3] and variations thereof 

seem to be the most commonly implemented methods 
to authenticate QKD public channels. They also seem 
to be sufficient to protect against Man-in-the-Middle at- 
tacks. However, these schemes do not actually authenti- 
cate the users of a quantum channel, and there could be 
situations where this is desired. 

There have been several quantum authentication pro- 
tocols developed for the purpose of authenticating quan- 
tum messages |S] [H] [7], with much of the focus being on 
the use of entanglement. A quantum message is a nor- 
mal message sent over a quantum channel using quan- 
tum codes. On the other hand, only random bits are 



transmitted over the quantum channel in QKD, and all 
messages are sent over the classical channel. In many of 
the quantum message authentication schemes, a shared 
secret is used to encrypt a message that is transmit- 
ted using one of several quantum codes. An imposter 
is then detected by monitoring the errors in the code 
words. One problem these schemes have is the inherent 
structure in the codes and Eve's ability to take advantage 
of possible correlations between two sequential bits, re- 
sulting from the structures of quantum codes. However, 
in QKD, there are no bit-to-bit correlations, assuming a 
perfectly random raw bit sequence, so it seems reason- 
able that QKD could be simpler to authenticate than a 
quantum message. In this article, it is shown that the 
quantum-based security of entanglement-based authen- 
tication may not be necessary, and that computational- 
complexity-based schemes are sufficient to authenticate 
the quantum channel of a QKD system. 



Four protocols are presented, each of which requires 
only a shared secret and a key-expansion function, in 
addition to the standard QKD protocols, to detect an 
imposter. Through examples of Man-in-the-Middle at- 
tacks, it is shown that even though information about 
the shared secret will be leaked to Eve during a QKD ses- 
sion, as long as determining the shared secret (given the 
expanded key) requires more computation than is possi- 
ble in a few seconds, there is enough entropy remaining 
in the expanded key for Bob to detect the presence of an 
imposter by monitoring the QBER. Finally, it is shown 
that the basic principles used for these protocols can be 
implemented to authenticate the quantum channel as- 
sociated with any type of QKD scheme, and that these 
protocols can also be used for Alice to authenticate Bob. 
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2 Protocols 

Consider the situation where Alice and Bob are going 
to generate key using BB84 and have an n-bit shared 
secret K, where n is chosen based on the level of desired 
security. Also suppose that Alice and Bob have agreed 
on a key expansion function F(), which need not be kept 
secret, that they consider secure from time-limited cryp- 
tographic attacks on both classical and quantum com- 
puters. The time it takes to determine K given F(K) 
needs to be longer than the time it takes to perform a 
QKD session. 

For notational purposes, let F(K) 1 be the i th bit 
of the expanded sequence, which is synchronized with 
clocks at Alice and Bob. Let x l and y 1 be Alice's bit 
and basis choice at time t, and let z* be Bob's basis 
choice. Let the observable being used (phase, polariza- 
tion, orbital angular momentum, ...) be represented by 
T, and let the two conjugate bases be denoted by T and 
Ti. To put the notation into context, the quantum por- 
tion of BB84 is carried out when Alice sends T y t = x* 
and Bob measures T z t . 

Each of the protocols below allow Bob, after Error 
Correction (EC), to conclude whether or not the photons 
originated with an impersonator, as well as whether or 
not he communicated with an impersonator during ei- 
ther sifting or EC, depending on the protocol. That is 
not to say that these protocols protect against the possi- 
bility that Eve is intercepting information, which is the 
purpose of the actual QKD protocol, but it does say that 
the information did not originate with Eve. 

Note that F(K), which is a pseudo-random bit se- 
quence, will not be available to Eve for analysis until 
she has recovered the random bit stream with which it 
is combined, such as Alice's bit or basis choices, because 
a random stream Xored with any stream produces a 
random stream. So, Eve will not even be able to begin 
working on the recovery of K until after EC. It should 
also be noted that in the protocols below, la and 2a have 
timing limitations that 16 and 26 do not. Namely, la and 
2a are only secure if Eve does not have the opportunity 
to complete the entire Alice-Eve session before starting 
Eve-Bob because Eve can simply omit sending a photon 
to Bob for the times that correspond to j € {t} for which 
he did not learn F(K)i, and Bob would attribute a lack 
of detection events to attenuation of the photons. Con- 
versely, 16 and 2b force Eve to use a continuous stream 
of F(K) starting at F(K)°, so she cannot avoid times 
for which she does not know F(Ky. Also note that the 
timing requirement for the first two protocols is not un- 
reasonable and can easily be met. 

Protocol l.a 

1. (a) Alice sends a photon with T y t = x l © F(Ky . 

(b) Bob measures T z t , and records 
x n = I> © F(K)*. 



(c) This step continues until enough photons have 
been sent for Bob to accurately calculate the 
QBER. 

2. Alice and Bob perform bit distillation. Alice pub- 
licly discloses the set of her basis choices, {y}. Bob 
then compares {y} to {z} and publicly discloses a 
list of the times that have valid bits. (Alice — ► Bob 
Sifting using {y} and {z}) 

3. Alice and Bob perform EC on the bits of {x} and 
{x'} retained after sifting, using some agreed-upon 
scheme such as CASCADE 8 . There is a possi- 
bility that the error correction scheme used does 
not correct all of the errors, but corrects for some 
maximum error rate, A, with a high degree of cer- 
tainty. A could either be a limitation of the cor- 
rection scheme or Alice's unwillingness to correct 
more than a certain number of errors. For simplic- 
ity, suppose that QBER < A implies there will 
be no errors left after EC (with some degree of 
certainty) and QBER > A implies there will be 
about a (QBER — A) error rate after EC. 

4. Bob makes a conclusion about the security of the 
error-corrected bits. If the QBER is too high, Bob 
concludes that either Eve has gained too much in- 
formation concerning the key that he established 
with Alice (standard BB84 conclusion) or that Al- 
ice did not send the original photons (conclusion 
concerning the authenticity of the photons). 

5. Either Alice and Bob perform privacy amplifica- 
tion to create final keys, or they start over. 

6. Alice and Bob create a new K. Alice and Bob 
take n secure bits, either pre-placed or established 
during a QKD session, and create a new K to au- 
thenticate the next QKD session. 



Protocol l.b 

1. (a) Alice sends a photon with Y y t — x*. 

(b) Bob measures T z t , and records x n — T z t . 

(c) This step continues until enough photons have 
been sent for Bob to accurately calculate the 
QBER. 

2. Alice — > Bob Sifting using {y} and {z}. Bob and 
Alice then apply the stream F(K) to the bits re- 
tained after sifting with a bit-wise Xor. 

3. Alice and Bob perform EC on the bits of F(K) 
applied to the bits of {x} and {x'} retained after 
sifting. 

4. Bob makes a conclusion about the security of the 
error-corrected bits. 
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5. Either Alice and Bob perform privacy amplifica- 
tion to create final keys, or they start over. 

6. Alice and Bob create a new K. 
Security of Protocol 1 

The QBER for these protocols is a function of T be- 
ing measured and any tampering that may occur on the 
quantum channel as well as the original sender's knowl- 
edge of the F(K ) sequence. If the established QBER 
is sufficiently low, Bob concludes that the person he is 
communicating with for the EC, over the classical chan- 
nel, either knows (T y t and F(Kf) or (x* and F(Kf), 
for the half of the time slots that correspond to his de- 
tection events. This doesn't directly guarantee that the 
photon was originally sent by Alice, but rather guaran- 
tees that the person Bob is communicating with for the 
EC, over the classical channel, has knowledge that only 
the sender of the photons would have as well as knowl- 
edge of F(K), which only Alice has. Put another way, 
this protocol guarantees that Bob is communicating clas- 
sically with the sender of the photons for the EC, and 
that the sender knows F(K). Therefore, the original 
sender must be Alice. 

To understand the security of these protocols, con- 
sider the following Man-in-the-Middle attack against 
Protocol l.a, assuming the timing restrictions for Pro- 
tocol 1 noted above, have been met. 

1. (a) Alice sends a photon with T y t = x l © F(K) 1 . 

(b) Eve measures T^t , and records x* = T^* . 

(c) Eve sends a photon with — £*, where \1/ 
and r are the same observable. 

(d) Bob measures z t, and records 
x l = * z « © F(Kf. 

(e) This step continues until enough photons have 
been sent for Bob to accurately calculate the 
QBER. 

2. Alice and Eve perform bit distillation. Alice sends 
Eve the set of her basis choices, {y}. Eve then 
compares {y} to {/z} and sends Alice a list of which 
bits to include, with about half of them being dis- 
carded. (Alice — > Eve sifting) 

3. Alice and Eve perform EC. Eve didn't know F(K), 
so she has a .50 error rate in her key, relative to 
Alice. After EC, Eve still has a a = max{0, (.50 — 
A) } error rate for the bits retained after sifting. If 
A is sufficiently small, this could prevent Eve from 
establishing perfect keys with Alice, and could al- 
low Alice to detect an imposter while Alice and 
Eve are communicating with the keys. 

After EC, Eve's F(K), for the bits corresponding 
to events retained after sifting, has an error rate 
of a, and her error rate for the complete F(K) is 
then (.25+ f). 



4. Eve and Bob perform bit distillation. Eve sends 
Bob the set of her basis choices, {v}. Bob then 
compares {v} to {z} and sends Eve a list of which 
bits to include, with about half of them being dis- 
carded (Eve — > Bob Sifting). As long as Eve did 
not know {y} prior to (Alice — > Eve Sifting) and 
did not know {z} prior to (Eve — > Bob Sifting), 
about half of the bits retained by Bob and Eve 
will correspond to bits retained by Eve and Alice. 

5. Eve and Bob perform EC. Eve's total error rate of 
F(K) is (.25 + §), so her key will have a (.25 + f ) 
error rate relative to Bob's key. 

6. Bob will calculate a .25 < (QBER = .25+f ) < .50 
and conclude that Eve must be involved. 

An analogous Man-in-the-Middle attack carried out 
against l.b would have similar results in practice, but 
without the timing restriction. Against l.b the attack 
would, in theory, induce a QBER = a which implies < 
QBER < .5. However, keeping in mind that the most 
trivial attacks against QKD produce a QBER = .25, it is 
unlikely that Alice would allow A > .25 and therefore, in 
practice, Bob will also calculate .25 < (QBER = a) < .5 
with protocol l.b. Also note that during attacks on l.a 
and l.b, through interactive EC with Bob, Eve can take 
advantage of some of the information she gains during 
the interaction to ensure that the QBER appears to be 
a little lower than it actually is. This threat can be elim- 
inated by using forward error correction, during which 
no information is leaked by Bob back to Eve. 

Protocol 2. a 

1. (a) Alice sends a photon with T y t BF ^ K y = x*. 

(b) Bob measures T z t^ F / K \t, and records 

x =^z t ®F(K) t - 

(c) This step continues until enough photons have 
been sent for Bob to accurately calculate the 
QBER. 

2. Alice — > Bob Sifting using {y} and {z} 

3. Alice and Bob perform EC on the bits of {x} and 
{x 1 } retained after sifting. 

4. Bob makes a conclusion about the security of the 
error-corrected bits. 

5. Either Alice and Bob perform privacy amplifica- 
tion, or they start over. 

6. Alice and Bob create a new K. 
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Protocol 2.b 

1. (a) Alice sends a photon with Y y t = x f . 

(b) Bob measures T z t , and records x n = T z t . 

(c) This step continues until enough photons have 
been sent for Bob to accurately calculate the 
QBER. 

2. Bob publicly discloses a list of the times for which 
he had a detection event. Alice and Bob remove 
their basis choices for times that do not corre- 
spond to detection events to create the sets {y 1 } 
and {z 1 } respectively. Alice — > Bob Sifting using 
{y'}®F(K) and {z'}®F{K). 

3. Alice and Bob perform EC on the bits of {x} and 
{x'} retained after sifting. 

4. Bob makes a conclusion about the security of the 
error-corrected bits. 

5. Either Alice and Bob perform privacy amplifica- 
tion, or they start over. 

6. Alice and Bob create a new K. 
Security of Protocol 2 

These protocols offer similar assurances to Bob as Pro- 
tocols l.a and l.b, except that they guarantee, after EC, 
that the person with which he performed sifting is some- 
one that knows information that only the sender of the 
photon and Alice could know. In particular, after EC, 
Bob knows that he performed the sifting with someone 
who knew both {y} and F(K), otherwise, he would have 
randomly selected which bits to use for the EC and would 
have a substantial error rate. Therefore, the original 
sender must be Alice. 

The QBER is a function of T being measured and any 
tampering that may occur on the quantum channel, in 
addition to the original sender not knowing the correct 
F(K) sequence that was Xored to Alices's basis stream. 
When Bob is trying to perform EC with a user that does 
not know F(K), the error rate will be inflated because 
Bob would have randomly selected his bits from all of the 
bits, roughly half of which are in the wrong basis. Note 
that, unlike in Protocol 1, the knowledge Eve can gain 
during interactive EC will not help her reduce the QBER 
induced by her not knowing the correct basis during the 
sifting. So, for protocols 2. a and 2.b, Eve does not gain 
an advantage by performing interactive EC with Bob as 
opposed to forward EC. 

To understand the security of these two protocols, 
consider the following Man-in-the-Middle attack against 
Protocol 2. a, assuming that the timing restrictions for 
Protocol 2 noted above, have been met (similar se- 
curity when carried out against Protocol 2.b, but with- 
out the timing restrictions). 



Allow for the possibility that Alice-Eve EC is com- 
pleted after Eve-Bob photon transmission, but before 
Eve-Bob sifting. 

1. Eve creates a set of times {r} that correspond to 
bits of F(K) she intends to learn. 

2. (a) Alice sends a photon with r y t eF ( K y = x f . 

(b) Eve measures T^t , and records x* = T^t . 

(c) Eve sends a photon with ty v t = £* if t € {r}, 
where ^ and T are the same observable. 

(d) Bob measures ^ z t ®F(K) t ^ an d records 
x n = ^ zt(BF{K y if t G {t}. 

(c) This step continues until enough bits have 
been sent for Bob to accurately calculate the 
QBER. 

3. Alice and Eve perform bit distillation. Alice sends 
Eve the set {y}. Eve tells Alice that they agreed 
on the basis selection for the times t <E {r} 

4. Alice and Eve perform EC. Eve didn't know F{K), 
so she has a .25 error rate in her key, relative to 
Alice. After EC, Eve still has a (.25 - A) error rate 
for the bits retained after sifting. Again, A could 
be chosen to prevent Eve from establishing perfect 
keys with Alice, and could allow Alice to detect the 
imposter while Alice and Eve are communicating 
with the keys as input to their encryption systems. 

To understand what Eve knows after EC with Al- 
ice, consider the fact that Eve knows y* and fi* for 
all t. Through EC she learns y l © ^ n\ 

t G {t}, for some number of errors, which is suf- 
ficient to calculate F(K) 1 for these times. For 
the times that she had the correct bit value, Eve 
doesn't know ify* ©F(iT)* = (J or ]iy*®F{K) t ^ 
//. Therefore, Eve's copy of {F{K ) T }, the bits of 
F{K) that correspond to possible detection events 
at Bob, has a (7 = max{^-, ^5^}) error rate. 

5. Eve and Bob perform bit distillation. Eve sends 
Bob the set {v} © F(K'), where F(K') is Eve's 
flawed version of F(K). Bob then compares {v} © 
F(K') to {z} and sends Eve a list of which bits to 
include. This set of events will be about half of the 
events included by Eve and Alice. 

6. Eve and Bob perform EC. Eve's error rate of 
{F(K') T } is 7, so her key will have a (^) error 
rate relative to Bob's key. 

7. Bob will calculate a .1675 < (QBER = 2) < .25 
and conclude that Eve must be involved. 
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3 Conclusions 

The security of the shared-secret authentication lies in 
Eve's inability to predict the secret bits, so it is impera- 
tive that the secret bits be well protected until Bob has 
a chance to verify the sender's identity. In each of the 
above protocols Alice leaks information about F(K) to 
the person with whom she is performing EC, so F(K) is 
not completely secure. However, as long as determining 
K from F(K) is a relatively computationally-intensive 
process, then there is enough entropy in the shared secret 
during the QKD session to prevent Eve from successfully 
carrying out a Man-in-the-Middle attack. 

The significance of these protocols is that each of 
them could easily be implemented in current QKD sys- 
tems and would only require minor software modifica- 
tions. Each of the protocols can be used to authenticate 
the quantum channel of prepare-and-measure QKD sys- 
tems, such as BB84. However, note that in Protocol 
2.b, Alice only has to know her basis choice when she 
performs sifting and not when actually sending the pho- 
tons. This feature allows 2.b to actually be used for any 
2-Basis QKD schemes that require bit distillation and 
EC, even entanglement schemes. Similarly, Protocol l.b 
only relies on Alice and Bob having a bit stream with 
errors and a shared secret, implying that it can be used 
with all QKD schemes, even no-switching QKD UJ, as 
long as the QKD schemes require EC. 

Suppose that the roles in the sifting and EC were re- 
versed, such that Bob's key prior to EC was assumed to 
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